
Active Directory Basics & Implementation in Satyam
Agenda

 Differences between NT 4.0 & Windows 2003 Active Directory
 Pain Areas in old structure (Users & Admin Perspective)
 What is Active Directory
 Important Terms in Active Directory
 Active Directory Logical Components
 Active Directory Physical Components
 Active Directory Partitions
 Global Catalog
 DNS
 Operations Masters
 Replication in Active directory
 Site links - Site link Bridges
 AD Implementation in Satyam
 Q&A
Differences between NT 4.0 & Windows 2003 Active Directory

NT 4.0:

 PDC & BDC concept: one Primary Domain Controller (PDC) and one or more Backup Domain Controllers (BDC)
 Only read-only copies of the directory on BDCs; every write goes to the PDC
 Trusts are required to access resources in another domain

Windows 2003 Active Directory:

 No PDC & BDC concept: all Domain Controllers (DC) are peers
 Multi-master replication
 Writable copies on all DCs
 Compressed replication information (between sites)
Pain areas in Old Environment

Admin:

 Associate moves from one location to another location
 Setting up trusts
 Giving access to an ID from another domain
 And many more ….

User:

 When transferred from one site to another site
 When trying to log in from another location where no trust exists
 Need to remember the domain name
 Cross-domain authentication
 And many more ….
What is Active Directory?

 The database that holds information about component locations, users, groups, passwords, security, and other information
 Active Directory allows administrators to define, arrange and manage objects & network resources
 Objects in Active Directory are logically organized into a hierarchical structure
 Active Directory is Microsoft’s version of an LDAP-based network directory service
What is Active Directory
Active Directory Supported Technologies
Active Directory Users & Computers Console
Active Directory Naming Conventions
Active Directory Logical Components
Trees and Forests
Forests

 A forest is a hierarchy of domains (one or more domain trees) forming a contiguous or disjoint namespace
 Transitive trust relationships: two-way transitive trusts between all domains in the forest

All domains in a forest share:

 Schema
 Configuration
 Global Catalog

 All trees in the forest use the same schema and the same global catalog
 Domains enable administration of commonly associated objects

Domain Trees

 Domains that are grouped together in hierarchical structures are called domain trees
 A tree is a hierarchy of domains forming a contiguous DNS namespace: a child domain’s name is its own label prefixed to the parent’s name (e.g. Corp.satyam.ad under satyam.ad)

All domains in a tree share:

 Schema
 Configuration
 Global Catalog
Domains

 Core functional units in the Active Directory logical structure
 Domains are a collection of administratively defined objects that share:
  Common directory database
  Security policies
  Trust relationships with other domains

Domains provide the following three functions:

 An administrative boundary for objects
 A means of managing security for shared resources
 A unit of replication for objects
Satyam Domain
Organizational units

Organizational Units:

 Grouping of objects within a domain
 Enable the delegation of administrative roles
 Group objects according to management tasks
 Provide the ability to administer objects with Group Policies
 Group objects with similar security access
 Can be nested within other OUs
Delegation of Administrative roles
Trusts
Schema

 Defines the object classes and their attributes that can be contained in Active Directory
 Each object class is identified by a globally unique identifier (GUID), a unique number associated with the object name
 An object class may have required and optional attributes
 Each attribute value is stamped with a version number and the date it was created or last modified
 This stamping allows replication to update only that attribute value on all DCs, not the whole object
 Windows Server 2003 ships with a set of default object classes

Schema
Logical Structure of Active Directory

Diagram: a Forest containing one or more Domain Trees; each Tree is a hierarchy of Domains; each Domain contains Organizational Units (OUs), which hold Objects and may themselves contain OUs.
AD Physical Structure

Diagram: Sites, each containing its own Domain Controllers, connected to one another by WAN links.

Sites

 Sites are groups of well-connected computers / IP subnets
 Domain controllers within a single site communicate frequently
  Minimizes the latency within the site
  Optimizes the use of bandwidth between domain controllers
 Groups objects by physical location to identify the fastest route between clients and servers and between DCs
 Is used for DC replication
  Sets up redundant paths between DCs
  Coordinates replication between sites with a bridgehead server
 Is composed of only two types of objects:

 Servers
 Configuration objects
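Sites are tied to IP subnets: a client is placed in a site by matching its address against the Subnet objects defined in the directory, which is how it ends up talking to a nearby DC rather than one across the WAN. The following is an added example, not part of the original deck, modelling that lookup (longest-prefix match, the way overlapping subnets resolve) for the rule "each physical subnet is a site" given on the implementation slide. The site names and address ranges are constructed for illustration.

```python
"""Map a client IP to an Active Directory site via subnet objects.

Added example, not from the original deck. Site names and subnets are
constructed for illustration; only the design rule "each physical subnet is a
site" comes from the deck.
"""
import ipaddress

# Constructed subnet -> site table. In AD these are the Subnet objects under
# Configuration/Sites/Subnets, each carrying a siteObject link.
SUBNETS = {
    "10.10.0.0/16": "HYD",
    "10.10.5.0/24": "HYD-Campus2",   # more specific prefix inside the HYD range
    "10.20.0.0/16": "Chennai",
    "192.168.50.0/24": "Pune",
}


def site_for(ip: str, subnets=SUBNETS):
    """Return the site whose subnet has the longest prefix matching ip, or None.

    Longest-prefix match mirrors how a client's site is resolved: the most
    specific Subnet object wins when ranges overlap.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def unmapped(ips, subnets=SUBNETS):
    """Clients whose address matches no subnet: they get no site affinity and
    may authenticate against any DC in the domain, often across the WAN."""
    return [ip for ip in ips if site_for(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.10.1.7", "10.10.5.9", "10.20.3.1", "172.16.0.5"):
        print(ip, "->", site_for(ip))
    print("no site:", unmapped(["10.10.1.7", "172.16.0.5"]))
```

Addresses that match no subnet are the practical check to run: such clients lose site affinity and may authenticate against any DC, so every physical subnet in use should appear in the table.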
Sites
Domain Controllers

 Computers which are with Microsoft Windows Server 2003 or


Windows 2000 Server OS, and Active Directory

 Each domain controller performs storage and replication


functions

 A domain controller can support only one domain

 To ensure continuous availability of Active Directory, each


domain should have more than one domain controller
What Is the Global Catalog?

A repository that contains a subset of the attributes of all objects in Active Directory (a partial replica of every object in every domain of the forest).

Global catalog contains:

 The attributes that are most frequently used in queries, such as a user’s first name, last name, and logon name
 The information that is necessary to determine the location of any object in the directory
 A default subset of attributes for each object type; the access permissions for each object and attribute are stored in the global catalog as well

A global catalog server also:

 Supports user logon: it resolves universal group memberships and user principal name (UPN) logons
 Provides replication of key Active Directory elements across domains

Global Catalog Server
Active Directory Partitions

Each domain controller contains the following Active Directory partitions:

 The domain partition contains replicas of all of the objects in that domain. The domain partition is replicated only to other domain controllers in the same domain.
 The configuration partition contains the forest topology. Topology is a record of all domain controllers and the connections between them in a forest.
 The schema partition contains the forest-wide schema. Each forest has one schema so that the definition of each object class is consistent. The configuration and schema partitions are replicated to each domain controller in the forest.
 Optional application partitions contain objects that are unrelated to security and that are used by one or more applications. Application partitions are replicated to specified domain controllers in the forest.
Domain Name System

 DNS is fundamental to AD: no DNS == no AD
 DNS is a globally distributed database that maps names to IP addresses (and other records) on the internet
 DNS uses a hierarchy of domains on the internet:
  - Top-level domains use the familiar names like .com, .edu, .gov
  - Second-level domains are registered to organizations that have a presence on the web
 Active Directory is designed to exist within the scope of the global DNS namespace; AD domain names (e.g. satyam.ad, Corp.satyam.ad) are DNS names
DNS Hierarchy
 Active Directory requires DNS
 Used to locate services, e.g.:
  - a client locating a domain controller
  - a domain controller locating replication partners
 Active Directory requires SRV record support
 Active Directory prefers dynamic registration (DDNS), so DCs can register and refresh their own records

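The service location the slides describe works through SRV records under the _msdcs subdomain: a client asks for the LDAP or Kerberos SRV name of its domain (optionally its own site first), gets back a list of DCs with priority and weight, and chooses one using the RFC 2782 rules. The following is an added example, not part of the original deck, that builds those SRV owner names for the deck's own domain names and selects a DC from a constructed answer. The hostnames and the record data are assumptions; the name layout is the one Active Directory registers.

```python
"""DC locator: build the SRV names Active Directory registers and pick a DC.

Added example, not from the original deck. Record data below is constructed
(dig-style "priority weight port target" lines); the SRV name layout under
_msdcs is the one Active Directory uses. Hostnames are assumptions.
"""
import random


def srv_names(domain, forest_root, site=None):
    """SRV owner names a client queries to find services for `domain`.

    The _msdcs subdomain is what AD-aware clients use; a site-specific name
    lets a client prefer DCs in its own site before falling back to any DC.
    """
    d = domain.lower()
    f = forest_root.lower()
    names = {
        "ldap_dc":  f"_ldap._tcp.dc._msdcs.{d}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{d}",
        "pdc":      f"_ldap._tcp.pdc._msdcs.{d}",
        # the GC record lives under the forest root, not the child domain
        "gc":       f"_ldap._tcp.gc._msdcs.{f}",
    }
    if site:
        names["ldap_dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
        names["gc_site"] = f"_ldap._tcp.{site}._sites.gc._msdcs.{f}"
    return names


def parse_srv(lines):
    """Parse 'priority weight port target' rdata lines into tuples."""
    out = []
    for line in lines:
        prio, weight, port, target = line.split()
        out.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return out


def candidates(records):
    """RFC 2782 step 1: only the lowest-priority records are eligible."""
    lowest = min(r[0] for r in records)
    return [r for r in records if r[0] == lowest]


def pick(records, rng=random):
    """RFC 2782 step 2: weighted random choice among the lowest priority.
    Weight-0 records are chosen only if every eligible record has weight 0."""
    cands = candidates(records)
    total = sum(r[1] for r in cands)
    if total == 0:
        return rng.choice(cands)
    n = rng.randint(1, total)
    for r in cands:
        n -= r[1]
        if n <= 0:
            return r
    return cands[-1]


# Constructed answer for _ldap._tcp.dc._msdcs.corp.satyam.ad
ANSWER = parse_srv([
    "0 100 389 hyd-dc1.corp.satyam.ad.",
    "0 100 389 chn-dc1.corp.satyam.ad.",
    "10 100 389 pune-dc1.corp.satyam.ad.",   # backup: higher priority value
])

if __name__ == "__main__":
    print(srv_names("Corp.satyam.ad", "satyam.ad", site="HYD")["ldap_dc_site"])
    print("eligible:", [r[3] for r in candidates(ANSWER)])
    print("chosen:", pick(ANSWER)[3])
```

Because any DC can register these records, the contents of the _msdcs zone are worth auditing: a stale or rogue SRV record steers clients to a host of the attacker's choosing, which is why dynamic updates should be secure-only.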

Zone Transfer Process
Operation Masters

Forest Wide Roles:

 Schema Master
 Domain Naming Master

Domain Roles:

 Primary domain controller emulator (PDC emulator)
 Relative identifier master (RID Master)
 Infrastructure master

Schema Master:

 Performs all updates to the schema
 Sends updates to all DCs in the forest
 One per forest
 Default is the first DC installed in the forest

Domain Naming Master:

 Performs add/remove of domains and cross-references to external directory services
 One per forest
 Default is the first DC installed in the forest

Primary Domain Controller (PDC) Emulator:

 Acts as a PDC for requests from NT clients and BDCs
 One per domain

Relative Identifier (RID) Master:

 Generates pools of relative identifiers and hands them out to the DCs in the domain; a DC appends a RID from its pool to the domain SID to form the SID of each new user, group or computer
 One per domain

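The RID master matters because a SID must be unique: every DC creates accounts on its own, so each one draws a disjoint block of RIDs from the single RID master and appends them to the domain SID. The following is an added example, not part of the original deck, modelling that allocation and the resulting SIDs. The domain SID, pool size and starting RID are constructed assumptions; the S-1-5-21-<domain>-<RID> layout and the well-known RIDs listed are the real Windows conventions.

```python
"""RID master: hand out RID pools and build SIDs from them.

Added example, not from the original deck. The domain SID, pool size and
starting RID are constructed assumptions; the S-1-5-21-<domain>-<RID> layout
and the well-known RIDs below are the real Windows conventions.
"""

# RIDs below 1000 are fixed by Windows; they identify privileged principals
# even if the account has been renamed.
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


class RidMaster:
    """Single authority per domain for RID ranges. If it is offline, DCs can
    still create objects until their current pool runs dry."""

    def __init__(self, pool_size=500, first_rid=1000):
        self.pool_size = pool_size      # assumption: modelled block size
        self.next_rid = first_rid       # assumption: first non-reserved RID
        self.issued = {}                # dc name -> list of (low, high) pools

    def allocate(self, dc):
        low, high = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = high + 1
        self.issued.setdefault(dc, []).append((low, high))
        return low, high


class DomainController:
    def __init__(self, name, domain_sid, rid_master):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self.pool = None   # (next free RID, last RID of the pool)
        self.created = {}  # sAMAccountName -> SID

    def create_account(self, sam):
        # Refill from the RID master only when the local pool is exhausted.
        if self.pool is None or self.pool[0] > self.pool[1]:
            low, high = self.rid_master.allocate(self.name)
            self.pool = (low, high)
        rid, high = self.pool
        self.pool = (rid + 1, high)
        sid = f"{self.domain_sid}-{rid}"
        self.created[sam] = sid
        return sid


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def describe(sid):
    return WELL_KNOWN_RIDS.get(rid_of(sid), "ordinary account")


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

if __name__ == "__main__":
    master = RidMaster(pool_size=3)   # tiny pool so a refill shows quickly
    hyd = DomainController("hyd-dc1", DOMAIN_SID, master)
    chn = DomainController("chn-dc1", DOMAIN_SID, master)
    for sam in ("alice", "bob", "carol", "dave"):
        print(sam, hyd.create_account(sam))
    print("chn:", chn.create_account("erin"))
    print(master.issued)
    print(describe(DOMAIN_SID + "-500"))
```

Two consequences follow from the model: a second RID master (for example after a bad seizure with the old holder brought back online) could hand out overlapping pools and produce duplicate SIDs, and an account whose RID is 500 or 512 is privileged regardless of its current name, which is what detection logic should key on.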
Infrastructure Master:

 Updates the SIDs and distinguished names of cross-domain object references (e.g. group members who belong to another domain) when those objects are moved or renamed
 One per domain
Replication in Active Directory

What is Replication:

- Replication is the process of sending update information for data that has changed in the directory to other domain controllers

Multi-master replication
- Any change on one DC is replicated to all other DCs
- If one DC fails, there is no visible network interruption

Between sites, replication can be set to occur at preset intervals instead of as soon as an update occurs

Network traffic due to replication is reduced by:

- Replicating individual properties (attributes) instead of entire accounts
- Replicating based on the speed of the network link
- Replicate more frequently over a LAN than a WAN
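The two points above that a practitioner should connect are the per-attribute version stamps from the Schema slide and "replicating individual properties instead of entire accounts": because every attribute value carries its own (version, timestamp, originating DC) stamp, two DCs can change different attributes of the same user concurrently and both changes survive, and a conflict on the same attribute resolves the same way on every DC. The following is an added example, not part of the original deck, simulating that behaviour between two replicas. It is deliberately simplified (no USNs, high-watermarks or up-to-dateness vectors); the DC names, user object and attribute values are constructed.

```python
"""Attribute-level multi-master replication with versioned stamps.

Added example, not from the original deck. It is a simplified model: real AD
also tracks USNs, high-watermarks and up-to-dateness vectors, which are omitted
here. DC names, the user object and the attribute values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Per-attribute replication metadata. Ordering = conflict resolution:
    higher version wins, then later originating time, then higher DSA GUID."""
    version: int
    time: int          # originating write time (monotonic ticks here)
    dsa_guid: str      # originating DC's identifier


class Replica:
    def __init__(self, name, dsa_guid):
        self.name, self.dsa_guid = name, dsa_guid
        self.objects = {}   # dn -> {attribute: (value, Stamp)}
        self.sent = 0       # attributes shipped to partners (traffic counter)

    def write(self, dn, attr, value, now):
        """Originating write: bump only this attribute's version."""
        attrs = self.objects.setdefault(dn, {})
        old = attrs.get(attr)
        version = old[1].version + 1 if old else 1
        attrs[attr] = (value, Stamp(version, now, self.dsa_guid))

    def get(self, dn, attr):
        return self.objects[dn][attr][0]

    def replicate_to(self, dst):
        """Ship each attribute whose stamp beats the partner's copy; a stamp
        that loses, or an identical stamp, is not applied and not counted."""
        for dn, attrs in self.objects.items():
            d_attrs = dst.objects.setdefault(dn, {})
            for attr, (value, stamp) in attrs.items():
                cur = d_attrs.get(attr)
                if cur is None or stamp > cur[1]:
                    d_attrs[attr] = (value, stamp)
                    self.sent += 1


def converge(dcs):
    """Full mesh, both directions; inside a site the KCC ring does this."""
    for src in dcs:
        for dst in dcs:
            if src is not dst:
                src.replicate_to(dst)


USER = "CN=Alice,OU=Users,DC=corp,DC=satyam,DC=ad"   # constructed object


def scenario():
    hyd = Replica("hyd-dc1", "aaaa-guid")
    chn = Replica("chn-dc1", "bbbb-guid")
    hyd.write(USER, "telephoneNumber", "+91-40-1000", now=1)
    hyd.write(USER, "description", "Developer", now=1)
    converge([hyd, chn])
    # Concurrent, non-conflicting edits on different DCs ...
    hyd.write(USER, "telephoneNumber", "+91-40-2000", now=2)
    chn.write(USER, "description", "Team lead", now=2)
    # ... and a genuine conflict on the same attribute, CHN slightly later.
    hyd.write(USER, "title", "Engineer", now=3)
    chn.write(USER, "title", "Senior Engineer", now=4)
    before = hyd.sent + chn.sent
    converge([hyd, chn])
    return hyd, chn, (hyd.sent + chn.sent) - before


if __name__ == "__main__":
    hyd, chn, shipped = scenario()
    for a in ("telephoneNumber", "description", "title"):
        print(a, hyd.get(USER, a), "|", chn.get(USER, a))
    print("attributes shipped in second round:", shipped)
```

In the second round only the three changed attributes cross the wire, not two whole objects, and the title conflict settles on the later stamp on both DCs. The same stamps are what an investigator reads with repadmin /showobjmeta to learn which DC originated a suspicious change and when.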
Replication in Active Directory

Replication Topologies

 Intra-Site Replication: AD replication between DCs within a Site
 Inter-Site Replication: AD replication between Sites

Intra-Site Replication:

 RPC transport (DS-RPC over IP)
 No compression
 Assumes good network connections
 Uses a change notification process: a DC notifies its partners after a pause interval (5 minutes for Windows 2000; 15 seconds at Windows Server 2003 forest functional level) and the partners pull the changes
 KCC generates a bi-directional ring with extra edges so that no DC is more than three hops from any other

Inter-Site Replication:

 DS-RPC (RPC over IP) or SMTP transports
 SMTP can be used only between GCs across sites and between DCs of different domains in different sites (i.e. for schema, configuration and global catalog data, never for a domain partition)
 Compression: replicated data is compressed to 10%-20% of its original size
 Scheduled: follows the site link schedule and interval
Types of Replication

Diagram: two sites. Site 1 holds Domain A, Domain B and Domain C controllers; Site 2 holds controllers for the same domains. Intra-Site Replication runs between the controllers within each site; Inter-Site Replication runs between Site 1 and Site 2.
Site Links, Site Link Bridges

Site Link:

 Site links connect two or more sites for inter-site replication
 Cost and schedules can be specified per link
 Transitive by default ("Bridge all site links"; can be disabled)

Site Link Bridge:

 Bridges two or more site links so that the sites on them become transitively reachable; only needed when automatic bridging has been disabled

What we have learnt so far…

Differences between NT 4.0 & Windows 2003 Active Directory

Pain Areas in old structure (Users Perspective & Admin Perspective)

What is Active Directory

Important Terms in Active Directory

Active Directory Logical Components

Active Directory Physical Components

DNS

Operations Masters

Replication in Active directory

Site links - Site link Bridges


Group policy basics
Active Directory Implementation in SATYAM
In a nutshell….

 Empty root domain
 Single child domain
 Root domain name
  DNS : satyam.ad
  NetBIOS : Root
 Child domain name
  DNS : Corp.satyam.ad
  NetBIOS : Satyam
 Site : each physical subnet is a site
 DC : one DC at each location
 GC : each DC will act as a GC
 Replication hubs : 2 (in HYD & Chennai)
 Site links : each site has a site link to the hub sites
 Site link bridges : none
 Replication time : Every 30 minutes
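The Site Links / Site Link Bridges slide and the hub-and-spoke layout above (every site linked to the HYD and Chennai hubs, no explicit site link bridges) are easier to reason about as a cost graph: the KCC picks the cheapest route, and whether it may pass through an intermediate site depends on link transitivity. The following is an added example, not part of the original deck, that computes inter-site replication routes from site links and costs under the default "bridge all site links" setting, with it disabled, and with an explicit site link bridge. Site names beyond HYD and Chennai, and all costs, are constructed; real KCC behaviour also depends on schedules and on which sites hold a DC for the partition.

```python
"""Inter-site replication routes from site links, costs and bridging.

Added example, not from the original deck. It models the hub-and-spoke layout
of the implementation slides with constructed costs; real KCC behaviour also
depends on schedules and on which sites hold a DC for the partition.
"""
import heapq
from itertools import combinations

# Constructed site links: name -> (cost, set of member sites). A link may
# join more than two sites; every member pair is directly reachable at `cost`.
SITE_LINKS = {
    "HYD-CHN":    (100, {"HYD", "Chennai"}),
    "HYD-Spokes": (200, {"HYD", "Pune", "Bangalore"}),
    "CHN-Spokes": (200, {"Chennai", "Pune", "Bangalore"}),
    "HYD-Remote": (500, {"HYD", "Kolkata"}),
}


def direct_edges(links):
    """Edges implied by membership in a common site link (cheapest if several)."""
    edges = {}
    for cost, members in links.values():
        for a, b in combinations(sorted(members), 2):
            edges[(a, b)] = min(cost, edges.get((a, b), float("inf")))
    return edges


def cheapest_route(src, dst, links, bridge_all=True, bridges=()):
    """Return (cost, path) for replication between two sites, or None.

    bridge_all=True is the default 'Bridge all site links' setting: every site
    link is transitive, so the KCC may sum costs across intermediate sites.
    With it off, only the links named together in a bridge are transitive;
    sites sharing no site link (and no bridge) get no inter-site connection.
    """
    if bridge_all:
        groups = [set(links)]                  # one bridge spanning all links
    else:
        groups = [set(b) for b in bridges]
        groups += [{name} for name in links]   # each link alone is still usable
    best = None
    for group in groups:
        sub = {n: links[n] for n in group if n in links}
        nbrs = {}
        for (a, b), c in direct_edges(sub).items():
            nbrs.setdefault(a, []).append((b, c))
            nbrs.setdefault(b, []).append((a, c))
        dist, prev, heap, seen = {src: 0}, {}, [(0, src)], set()
        while heap:                            # Dijkstra within this group
            d, u = heapq.heappop(heap)
            if u in seen:
                continue
            seen.add(u)
            for v, c in nbrs.get(u, []):
                if d + c < dist.get(v, float("inf")):
                    dist[v], prev[v] = d + c, u
                    heapq.heappush(heap, (d + c, v))
        if dst in dist and (best is None or dist[dst] < best[0]):
            path, node = [dst], dst
            while node != src:
                node = prev[node]
                path.append(node)
            best = (dist[dst], path[::-1])
    return best


if __name__ == "__main__":
    print(cheapest_route("Pune", "Kolkata", SITE_LINKS))
    print(cheapest_route("Pune", "Kolkata", SITE_LINKS, bridge_all=False))
    print(cheapest_route("Pune", "Kolkata", SITE_LINKS, bridge_all=False,
                         bridges=[("HYD-Spokes", "HYD-Remote")]))
```

With bridging on, Pune reaches Kolkata through HYD at cost 700; with bridging off and no bridge defined, the two sites have no route at all, which is the failure mode to check for when a design says "site link bridges: none" but has also turned off automatic bridging.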


AD Replication diagram
Any further questions ………?
Hope this session was a useful one….

Thanks

With SMILE
